Recently, Oath, a wholly-owned subsidiary of Verizon Communications agreed to pay $4.95 million to settle charges from the New York attorney general’s office that the company’s online advertising business was violating federal law. This represents the largest penalty ever in a Children’s Online Privacy Protection Act (“COPPA”) enforcement matter. This settlement underscores that COPPA compliance remains an important issue with real penalties for non-compliance since being enacted in 1998. As a reminder, companies that target U.S. children must comply with U.S. privacy laws, including COPPA, regardless of where they are based.

Oath, which until June 2017 was known as AOL Inc. (“AOL”), ran services that enabled what is known as targeted advertising, the serving of specific ads to sets of individuals, based on information collected about these individuals. Advertisers are interested in serving ads to those they believe are most likely to be interested in their products, which makes this practice very lucrative. Companies that can allow advertisers to filter by their desired demographic characteristics, including specific interests as expressed through browsing history, can charge more per ad than they would be able to otherwise.

Companies that operate targeted advertising often do so in part through the use of small text files placed on the computers of users, called cookies. These cookies may be updated with information based on actions users take online, including which websites are visited. Companies can then use this information to run an ad exchange, effectively allowing companies to bid on advertising space based on collected characteristics, and demographic information. The use of such cookies became more problematic for companies when the definition of “personal information” protected under COPPA was revised to include persistent identifiers, including those present within cookies, and Internet Protocol (“IP”) addresses in 2013.

Oath, then AOL, operated ad exchanges that collected personal information from children by running its ad exchanges on websites that it knew to be directed to children, such as Roblox.com and Sweetyhigh.com. AOL received knowledge that these websites were directed to children both from their own clients, and by making its own determination, conducting not less than 750 million auctions of display ad space from these websites. Prior to November 2017, AOL’s systems ignored any information that it had that the website was subject to COPPA.

In addition to paying the $4.95 million fine, as part of the settlement, Oath agreed to adopt comprehensive reforms, including designating an individual to oversee the program, annual training, implementing and monitoring appropriate controls, and retaining an objective third-party to assess the implemented controls. Further, it must make its ad exchange COPPA compliant by implementing and maintaining appropriate functionality, and disclose to each bidder that the ad space at issue is subject to COPPA. Additionally it must destroy all personal information it has collected from children unless it is legally required to maintain the information.

Companies in this space would be wise to consider whether their existing COPPA compliance programs meet regulatory requirements and are being enforced at the corporate level. Unfortunately for AOL, although it had policies prohibiting non-compliant use of ad exchanges on COPPA covered websites in a non-compliant manner, these policies were not observed. If you have any questions regarding COPPA compliance, please do not hesitate to contact the team at Mintz.

Published

Viewpoint Topics

Professionals

Share

Related Practices

Authors

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.